The Heartbleed Bug

The Heartbleed Bug is a vulnerability that was discovered on April 7th in the code that some servers and websites us for secure communication. The vulnerability directly affects any security connections that utilize OpenSSL. OpenSSL is a mechanism used by some web sites, web service, and servers to establish secure communications between you and the server.

Why does this matter?

If you have connected to a web site or service that has used the vulnerable version of OpenSSL over the last 2 years, there is the potential that the security of that connection was compromised. This is a wide-spread vulnerability as many sites and services use OpenSSL.

What is Wentworth doing?

After this vulnerability was made public, Wentworth Technology Services began running tests against all internet-facing web servers to test for the presence of this vulnerability. None have been discovered as the majority of the servers utilized by the Institute do not utilize OpenSSL. We are continuing our investigation to ensure that all internal servers as well as those used for our externally-hosted services are free of this vulnerability. For any vulnerable server that we find, we will address through applying updates and patches. We will continue to keep you posted through our Information Security website at http://www.wit.edu/dts/security, our security blog at blogs.wit.edu/security, and via Twitter @InfoSec_WIT.

What should you do?

First of all, don’t panic. This vulnerability and how to address it is well known throughout the security community and most sites that are potentially affected by this bug are in the process of fixing or have already done so. A complete list of affected sites is not known. What we encourage you to do is check with the sites that you have a password for. Most sites will have a link or prominent notice indicating what they are doing to address this bug.

Below are some practices we suggest you follow to keep yourself safe:

Wait to perform any online banking or transactions with online retailers until they indicate it is safe to do so. After a notice has been posted or emailed to you, reset your password with that site.

Reset passwords directly at the site. Be suspicious of any emails you receive requesting you to click on a link that takes you to a password reset page. Although many of them will be legitimate, there is the possibility that it could be a phishing email. Instead of clicking the link, copy and paste the link on the address bar on your browser or go directly to the site and look for their password reset page. (For Wentworth, we encourage users to always go directly to the password reset page that can be accessed through the Information Security site’s home page at the link above.)

DO NOT reply to any emails asking for sensitive information, regardless of how legitimate it looks. No reputable site or company should ever ask you to email any sensitive information via email (such as ssn, credit card numbers, or passwords).

If you suspect you are receiving any illegitimate emails, please forward them to SPAM@wit.edu.

For any questions, please contact the Technology Service Help Desk at 617-989-4984 or via email at HelpDesk@wit.edu.

For more information on the Heartbleed bug, visit heartbleed.com, posted by the researchers that discovered the vulnerability.